The "Login As" functionality (introduced in INP-904) allows an administrator to log in on the Front-End as any other user. This is especially useful during debugging as well, because a developer can't possibly know the password of every user in the database.

Current implementation works like this:

- administrator:
  - goes to the "User Management > Users" section in the Admin Console
  - selects one user in the grid
  - presses the "Login As" button on the toolbar
- in JavaScript:
  - a link to the Front-End is built that contains the "u:OnLoginAs" event and the ID of the selected user
  - a new window opens with that link
- the fact that the administrator is logged in to the Admin Console is used as the permission check for the "u:OnLoginAs" event

Proposing to use one-time login tokens (introduced in [security] One time authentication token system [5.2.2-B1]) instead, so that the process is uniform with the one that the user naturally has on the Front-End. This way there won't be a need to duplicate part of the "u:OnLogin" event inside the "u:OnLoginAs" event.
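
The proposed flow, as an added Python example rather than In-Portal's own code: the Admin Console issues a single-use, short-lived token for the selected user after checking the administrator's session, and the Front-End link carries that token instead of the user ID. The class and function names, the `login_token` parameter, the 60-second lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 60  # seconds; assumed lifetime, not taken from the page


class OneTimeLoginTokens:
    """Hypothetical in-memory token store (a real one would be a DB table)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (user_id, issued_by, expires_at)

    def issue(self, admin_session, target_user_id):
        # The permission check happens once, at issue time, in the Admin Console.
        if not admin_session.get("is_admin"):
            raise PermissionError("only an administrator may issue a login token")
        token = secrets.token_urlsafe(32)
        # Only a digest is stored, so a leaked store does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (
            target_user_id,
            admin_session["user_id"],  # kept for the audit trail
            self._clock() + TOKEN_TTL,
        )
        return token

    def redeem(self, token):
        """Return the user ID to log in as, or None if the token is unusable."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(digest, None)  # pop makes the token single-use
        if record is None:
            return None
        user_id, _issued_by, expires_at = record
        if self._clock() > expires_at:
            return None
        return user_id


def build_front_link(base_url, token):
    # The link carries only the opaque token, never the selected user's ID.
    # "login_token" is a hypothetical parameter name.
    return f"{base_url}?login_token={token}"
```

With this shape the Front-End no longer needs its own "is an administrator logged in" check: a link that is replayed, expired or guessed redeems to nothing.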